8

When I import a certificate, I'm offered the option to "automatically select the certificate store based on the type of certificate".

What basis does Windows use? Which types of certificate end up in which stores?

Roger Lipscombe

1 Answer

1

Certificates are encoded with intended uses and I would assume those would be the best way to categorize the certificates.

Here's more info on the usages:

Mark Henderson
Mark Burnett
  • 1
    Is this just a guess? Neither of those links mentions the store selection that this question is about. – Jon-Eric Apr 27 '16 at 21:24
  • No, it is not a guess, a key has fields (that I linked to) that indicate the type of certificate it is and how it should be used. Windows can pretty accurately know where to store it based on that. For example, if it is a client certificate it will place it in the personal store. If the cert can be used to sign other certs it would likely go in the Intermediate Certification Authorities store. – Mark Burnett Apr 29 '16 at 23:15
  • I wonder if there's more to it. I just tried importing a client certificate whose sole Enhanced Key Usage is "Client Authentication (1.3.6.1.5.5.7.3.2)" and Windows automatically selected the Intermediate Certification Authorities store. In my case the decision seemed based on whether I had the associated private key, not the key usage. – Jon-Eric May 02 '16 at 19:26
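
To see the properties this thread discusses before importing a file, the following PowerShell script (an added example, not part of the question, answer or comments) reports the CA flag, Key Usage, Enhanced Key Usage and whether a private key is present. It does not reproduce Windows' store-selection rule, which the page does not establish; `$Path` and its default value are placeholders.

```powershell
using namespace System.Security.Cryptography.X509Certificates

param(
    # Placeholder file name (assumption): point this at your own .cer/.crt/.pfx.
    [string]$Path = '.\example.cer'
)

# Get-PfxCertificate reads the file without installing it into any store.
# It prompts for a password if the file is a protected PFX.
$cert = Get-PfxCertificate -FilePath $Path

# Look up the three extensions by OID rather than by localized friendly name.
$byOid = @{}
foreach ($ext in $cert.Extensions) { $byOid[$ext.Oid.Value] = $ext }

$bc  = $byOid['2.5.29.19'] -as [X509BasicConstraintsExtension]   # Basic Constraints
$ku  = $byOid['2.5.29.15'] -as [X509KeyUsageExtension]           # Key Usage
$eku = $byOid['2.5.29.37'] -as [X509EnhancedKeyUsageExtension]   # Enhanced Key Usage

[pscustomobject]@{
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    SelfIssued       = ($cert.Subject -eq $cert.Issuer)
    # The last comment observed the store choice tracking this property.
    HasPrivateKey    = $cert.HasPrivateKey
    # True only when Basic Constraints is present and marks the subject as a CA.
    IsCA             = [bool]($bc -and $bc.CertificateAuthority)
    KeyUsage         = if ($ku) { $ku.KeyUsages.ToString() } else { '(absent)' }
    EnhancedKeyUsage = if ($eku) {
        ($eku.EnhancedKeyUsages |
            ForEach-Object { "$($_.FriendlyName) ($($_.Value))" }) -join '; '
    } else { '(absent)' }
} | Format-List

# To avoid depending on the automatic choice, name the target store explicitly
# when importing (left commented out so this script stays read-only):
#   Import-Certificate    -FilePath $Path -CertStoreLocation Cert:\CurrentUser\My
#   Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\CurrentUser\My
```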